Cybersecurity researchers have uncovered malicious artifacts distributed via Docker Hub following a sophisticated supply chain attack targeting the popular open-source vulnerability scanner, Trivy. This incident, attributed to a threat actor known as TeamPCP, highlights the escalating risks to developer environments and the widening blast radius of compromised software dependencies.
The compromised versions of Trivy, specifically tags 0.69.4, 0.69.5, and 0.69.6, were pushed to Docker Hub without corresponding official releases on GitHub. These malicious images contained indicators of compromise linked to an infostealer previously observed in earlier stages of this campaign. The last known clean release of Trivy on Docker Hub was version 0.69.3.
Trivy Supply Chain Attack Escalates with Malicious Docker Images
The attack originated from a supply chain compromise of Trivy itself, a tool widely used for scanning container images for vulnerabilities. Threat actors exploited a compromised credential to inject a credential stealer into trojanized versions of Trivy. This compromise extended to two related GitHub Actions: “aquasecurity/trivy-action” and “aquasecurity/setup-trivy,” further amplifying the potential impact.
The downstream effects of this incident have been significant. Attackers leveraged data stolen from the initial compromise to compromise dozens of npm packages. These affected packages were subsequently used to distribute a self-propagating worm, identified as CanisterWorm, demonstrating the interconnectedness of software supply chains and the potential for cascading failures.
TeamPCP’s Escalating Tactics in Cloud Environments
Adding to the severity of the breach, all 44 internal repositories associated with Aqua Security’s “aquasec-com” GitHub organization were defaced. According to the OpenSourceMalware team, these repositories were renamed with a “tpcp-docs-” prefix, and their descriptions were altered to state “TeamPCP Owns Aqua Security.” All these modifications occurred within a brief, scripted two-minute window on March 22, 2026. Analysis indicates that a compromised “Argon-DevOps-Mgt” service account was likely leveraged for this widespread defacement.
“Our forensic analysis of the GitHub Events API points to a compromised service account token — likely stolen during TeamPCP’s prior Trivy GitHub Actions compromise — as the attack vector,” stated security researcher Paul McCarty. He further explained that this service account, created in July 2023, bridged both GitHub organizations and granted the attacker administrative access to both, making it a critical weak point.
This latest development underscores TeamPCP’s growing sophistication and their reputation for targeting cloud infrastructures. The group has progressively demonstrated capabilities to systematically expose Docker APIs, Kubernetes clusters, Ray dashboards, and Redis servers. Their motivations appear to span data theft, ransomware deployment, extortion, and cryptocurrency mining, indicating a multi-faceted threat.
The emergence of a new wiper malware attributed to TeamPCP exemplifies their evolving tactics. This malware spreads via SSH using stolen keys and exploits exposed Docker APIs on port 2375 within local subnets. Beyond credential theft, this payload has been observed wiping entire Kubernetes (K8s) clusters, with a specific focus on systems located in Iran.
Implications for Developers and Cloud Security
AIkido security researcher Charlie Eriksen detailed the Kubernetes attack’s methodology. It involves deploying privileged DaemonSets across all nodes, including control planes. Iranian nodes are targeted for wiping and forced rebooting via a container named ‘kamikaze.’ Non-Iranian nodes receive the CanisterWorm backdoor installed as a systemd service. Additionally, non-Kubernetes Iranian hosts are subjected to data erasure via the command ‘rm -rf / –no-preserve-root.’
Given the ongoing nature of this threat, organizations are strongly advised to review their utilization of Trivy within CI/CD pipelines. It is crucial to avoid any versions affected by this compromise and to treat any recent executions of Trivy in development environments as potentially compromised. The incident serves as a stark reminder of the long-term implications of supply chain attacks.
“A credential harvested during the Trivy GitHub Actions compromise months ago was weaponized today to deface an entire internal GitHub organization,” noted OpenSourceMalware. “The Argon-DevOps-Mgt service account—a single bot account bridging two orgs with a long-lived PAT—was the weak link.” The incident highlights the vulnerability of the security vendor ecosystem itself to cloud-native threat actors.
Moving forward, organizations will need to closely monitor for any further exploitation of cloud-native services and supply chain vulnerabilities by TeamPCP. The group’s demonstrated ability to adapt and escalate its attack methods means that continuous vigilance and robust security practices are more critical than ever.